Authenticate a Client connecting to a web service

Question

Hello,

I have a WCF web service. This web service should only allow certain client applications (built with technologies like Silverlight, Flex, ClickOnce, etc) to execute it's functionality. In an attempt to accomplish this, I have started each publicly visible method with the following code:

if (IsClientValid(...) == false) return;

My question is, what should I check for? I have considered passing a unique identifier as a string parameter and then passing that parameter to the IsClientValid method. However, I know that someone could use a tool like Fiddler to sniff out that parameter value and use it in their own applications. How do I uniquely identify my client applications such that only they can utilize my WCF web services?

Thank you

Answer 1

Depending on how far you want to go you can do any number of things. In an app I worked on we did the following:

• Message security - to encrypt your messages, client must provide credentials (userNameAuthentication) with server providing serviceCertificate for message encryption.

• Custom encrypted Soap Headers were used to provide client details with each message after the initial login. This header is encrypted using a combination of values taken from the client applciation and values retrieved from the server in the intial call.

• All client outgoing messages attach the encrypted header, which the server extracts/decrypts upon reciept and the base service verifies that the required values are present.

• In addition to this, a collection of encrypted headers are stored server side to guard against replay attacks using sniffed headers.

I can provide additional resources/links to how to achieve some of this if you think you could use some of it.

Edit: Assuming that the client apps are under your control.

Answer 2

Check out client cert authentication. The basic idea is that the https connection will fail unless the client sends a valid cert, where you get to determine what is valid.